* or (at your option) any later version.
*
* Changes:
+ * 2005-01-07: Henrik Nordstrom <hno@squid-cache.org>
+ * - Added some sanity checks on login names to avoid
+ * users bypassing equality checks by exploring the
+ * overly helpful match capabilities of LDAP
* 2004-07-17: Henrik Nordstrom <hno@squid-cache.org>
* - Corrected non-persistent mode to only issue one
* ldap_bind per connection.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
+#include <ctype.h>
#ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */
return ld;
}
+/* Make a sanity check on the username to reject oddly typed names */
+static int
+validUsername(const char *user)
+{
+ const unsigned char *p = user;
+
+ /* Leading whitespace? */
+ if (isspace(p[0]))
+ return 0;
+ while(p[0] && p[1]) {
+ if (isspace(p[0])) {
+ /* More than one consequitive space? */
+ if (isspace(p[1]))
+ return 0;
+ /* or odd space type character used? */
+ if (p[0] != ' ')
+ return 0;
+ }
+ p++;
+ }
+ /* Trailing whitespace? */
+ if (isspace(p[0]))
+ return 0;
+ return 1;
+}
+
int
main(int argc, char **argv)
{
}
rfc1738_unescape(user);
rfc1738_unescape(passwd);
+ if (!validUsername(user)) {
+ printf("ERR\n");
+ continue;
+ }
tryagain = (ld != NULL);
recover:
if (ld == NULL && persistent)
projects / thirdparty / squid.git / commitdiff
